1. Field of the Invention
The present invention relates to a firewall and more specifically to a firewall in communications using IP over ATM protocols.
2. Description of the Related Art
The Internet, which continues to spread, employs TCP (Transmission Control Protocol)/IP (Internet Protocol) as its standard protocol. A system has been discussed which allows communications based on TCP/IP (TCP/IP communications) to be carried over ATM networks. Such a system is called IP over ATM. If this technology is established, the Internet can be implemented using ATM networks.
With the spread of the Internet, opportunities to connect terminals, such as computers, to public networks have been increasing. Under these circumstances, it is important to protect terminals (and the information they store) from unauthorized access originating on the public network side. This requires a function that blocks particular types of traffic. Such a function, which blocks particular types of traffic to increase the security of computers and the like, or a device that performs it, is called a firewall.
FIG. 1 shows an example of installing a firewall in an IP over ATM system. In this example, terminals (DTE: Data Terminal Equipment) 102 and 107, which can perform TCP/IP communications, are connected to an ATM network 101. A LAN 103, which is an Ethernet network based on TCP/IP, is connected to the ATM network 101 via a router 105. The router 105 has a firewall function that allows only selective access to the LAN 103 through the ATM network 101.
When, in the above system, the terminal 102 accesses the terminal 107 according to TCP/IP (TCP/IP-based access, or TCP/IP access), an ATM connection is first set up between the terminals 102 and 107, and a TCP/IP connection is then set up over that ATM connection.
When the terminal 102 makes TCP/IP access to the terminal 104 within the LAN 103, an ATM connection is first set up between the terminal 102 and the router 105. The terminal 102 then sends an access request to the router 105 over that ATM connection. Upon receipt of the access request, the router 105 decides whether to grant or deny it according to the IP address and the TCP port number. When the access request is granted, the router 105 sets up a TCP/IP connection between the terminals 102 and 104 over the ATM connection between the terminal 102 and the router 105, and TCP/IP communications begin. When the access request is denied, on the other hand, the router 105 disconnects the ATM connection to the terminal 102.
Thus, the conventional system prevents unauthorized access to resources within the LAN 103 by the firewall function installed in the router 105, which selectively grants access to the LAN 103 over the ATM network 101.
In the IP over ATM system, in order to decide at the TCP/IP level whether an access request is to be granted or denied, an ATM connection is always set up first, regardless of whether the access request is later granted or denied. (An access request which will be granted is referred to as a permissible access request, whereas an access request which will be denied is referred to as a non-permissible access request.) In the example of FIG. 1, an ATM connection is set up between the terminal 102 and the router 105.
With the ATM network 101, once an ATM connection is set up for a call, the call is billed (charged). Thus, even when an access request by the terminal 102 to the terminal 104 is regulated (rejected) by the router 105, the terminal 102 is charged although it receives no service, because an ATM connection has been set up between it and the router 105.
Since an ATM connection is set up even for a non-permissible access request, network resources are wasted. For example, even if a request for access by the terminal 102 to the terminal 104 is a non-permissible access request, an ATM connection is set up between the terminal 102 and the router 105, so that a portion of the bandwidth of the line 106 that connects the ATM network 101 to the router 105 is assigned to that ATM connection. As a result, the available bandwidth of the line 106 is reduced. A shortage of available bandwidth on the line 106 causes ATM connection setup on that line to fail. Thus, even if a permissible access request is made, access to the LAN 103 becomes impossible. Non-permissible accesses can therefore disturb permissible ones.
The above problem arises not only in the IP over ATM system but also in a system in which data in a LAN, such as an Ethernet or token ring network, are transferred over an ATM network (such a system may be called LAN emulation).
It is an object of the present invention to provide a system which implements a firewall while making effective use of network resources.
A firewall system of the present invention is for use with a communications system in which communication traffic conforming to a second protocol is transferred over a connection-oriented network that exchanges fixed-length packets conforming to a first protocol. The firewall system controls communications that conform to the second protocol and comprises: a switching node for exchanging fixed-length packets and extracting, from received fixed-length packets, a fixed-length packet that contains a request made by a first terminal for access to a second terminal, the access request being based on the second protocol; and an agent unit, installed in the network, for judging whether or not to grant the request for access to the second terminal on the basis of information contained in the fixed-length packet extracted by the switching node.
According to the above arrangement, a determination can be made as to whether to grant access to the second terminal without establishing a connection between the switching node and the second terminal. That is, such a determination can be made without using a line connecting the network and the second terminal.
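To make the resource argument of the problem statement and of the above arrangement concrete, the following added model (not part of the patent, and not code from its applicant) runs one batch of access requests through both designs: the conventional router that judges only after the ATM connection over line 106 exists, and the in-network agent that judges the extracted request before any connection toward the LAN is set up. The rule set, addresses, bandwidth units and line capacity are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:  # TCP/IP-level access request carried in ATM cells (constructed)
    dst_ip: str
    dst_port: int
    bandwidth: int    # bandwidth taken on line 106 once an ATM connection is set up

class Line:           # line 106 between the ATM network and router 105: finite bandwidth
    def __init__(self, capacity):
        self.capacity, self.used = capacity, 0
    def reserve(self, bw):
        if self.used + bw > self.capacity:
            return False  # connection setup fails: no available bandwidth
        self.used += bw
        return True
    def release(self, bw):
        self.used -= bw

def permitted(req, allow):
    # firewall rule keyed on destination IP address and TCP port, as in router 105
    return (req.dst_ip, req.dst_port) in allow

def run(requests, line, allow, agent_in_network):
    """False: router judges after ATM setup. True: network agent judges before setup."""
    stats = {"served": 0, "denied_free": 0, "billed_denied": 0, "blocked_by_capacity": 0}
    held = []
    for req in requests:
        ok = permitted(req, allow)
        if agent_in_network and not ok:
            stats["denied_free"] += 1        # no connection: no bandwidth used, no charge
            continue
        if not line.reserve(req.bandwidth):  # ATM connection setup over line 106
            stats["blocked_by_capacity"] += 1
        elif ok:
            stats["served"] += 1
        else:
            stats["billed_denied"] += 1      # call was set up, so it is charged
            held.append(req)                 # disconnected only after the decision
    for req in held:                         # concurrent requests: bandwidth freed afterwards
        line.release(req.bandwidth)
    return stats

# Constructed scenario: three non-permissible requests arrive together with one permissible.
ALLOW = {("10.0.0.4", 80)}
BATCH = [AccessRequest("10.0.0.4", 23, 4), AccessRequest("10.0.0.4", 21, 4),
         AccessRequest("10.0.0.9", 80, 4), AccessRequest("10.0.0.4", 80, 4)]

def compare(capacity=10):  # same batch through both designs on a fresh line
    return (run(BATCH, Line(capacity), ALLOW, False), run(BATCH, Line(capacity), ALLOW, True))
```

In the conventional run the two denied calls are billed and, together, exhaust the line so the permissible request is blocked; with the agent, the three denied requests consume nothing and the permissible one is served.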